Beyond Linux® From Scratch (systemd edition)
- Version 2016-12-09

Chapter 4. Security

stunnel-5.38

Introduction to stunnel

The stunnel package contains a
program that allows you to encrypt arbitrary TCP connections inside
SSL (Secure Sockets Layer) so you can easily communicate with
clients over secure channels. stunnel can be used to add SSL functionality
to commonly used Inetd daemons
such as POP-2, POP-3, and IMAP servers, along with standalone
daemons such as NNTP, SMTP, and HTTP. stunnel can also be used to tunnel PPP over
network sockets without changes to the server package source code.

This package is known to build and work properly using an LFS-7.10
platform.

Note

A signed SSL Certificate and a Private Key are necessary to run
the stunnel daemon.
After the package is installed, there are instructions to
generate them. However, if you own or have already created a
signed SSL Certificate you wish to use, copy it to /etc/stunnel/stunnel.pem before starting the
build (ensure only root has read
and write access). The .pem file
must be formatted as shown below:

Install the included systemd unit by running the following command
as the root user:

install -v -m644 tools/stunnel.service /lib/systemd/system

If you do not already have a signed SSL Certificate and Private
Key, create the stunnel.pem file in
the /etc/stunnel directory using the
command below. You will be prompted to enter the necessary
information. Ensure you reply to the

Common Name (FQDN of your server) [localhost]:

prompt with the name or IP address you will be using to access the
service(s).

To generate a certificate, as the root user, issue:

make cert

Command Explanations

make docdir=...
install: This command installs the package and
changes the documentation installation directory to standard naming
conventions.

Configuring stunnel

Config Files

/etc/stunnel/stunnel.conf

Configuration Information

As the root user, create the
directory used for the .pid file
created when the stunnel daemon
starts:

If you use stunnel to encrypt a
daemon started from [x]inetd, you may need to
disable that daemon in the /etc/[x]inetd.conf file and enable a
corresponding <service>_stunnel service.
You may have to add an appropriate entry in /etc/services as well.

For a full explanation of the commands and syntax used in the
configuration file, issue man
stunnel.
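An added example of a minimal /etc/stunnel/stunnel.conf (not the book's own configuration) that wraps local POP3 and IMAP daemons as described above. The pid directory /run/stunnel, the unprivileged stunnel user and group, and the log path are assumptions; the certificate path is the one used on this page.

```ini
; /etc/stunnel/stunnel.conf (added example, not from the BLFS book)

; Combined certificate and private key created by "make cert"
cert = /etc/stunnel/stunnel.pem

; Assumed pid directory; must match the directory created above
pid = /run/stunnel/stunnel.pid

; Drop root privileges after binding the listening ports
; (assumes a dedicated unprivileged "stunnel" user and group exist)
setuid = stunnel
setgid = stunnel

; Refuse the obsolete protocol versions
options = NO_SSLv2
options = NO_SSLv3

; Log level and destination (assumed path)
debug = 4
output = /var/log/stunnel.log

; Accept POP3-over-TLS on 995 and hand the decrypted stream to the
; plain POP3 daemon, which should listen only on the loopback address
[pop3s]
accept  = 995
connect = 127.0.0.1:110

; IMAP-over-TLS on 993 in front of a plain IMAP daemon on 143
[imaps]
accept  = 993
connect = 127.0.0.1:143
```

With the plain-text daemons bound to 127.0.0.1 only, the encrypted ports are the sole way to reach them from the network.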

Systemd Unit

To start the stunnel daemon at boot, enable
the previously installed systemd
unit by running the following command as the root user: